[Txauth] Decoupling consent and authorization

Fabien Imbault <fabien.imbault@gmail.com> Mon, 03 August 2020 11:15 UTC

Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C17683A0E53 for <txauth@ietfa.amsl.com>; Mon, 3 Aug 2020 04:15:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qvlXHGDJXB2s for <txauth@ietfa.amsl.com>; Mon, 3 Aug 2020 04:15:39 -0700 (PDT)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F4B43A0E50 for <txauth@ietf.org>; Mon, 3 Aug 2020 04:15:39 -0700 (PDT)
Received: by mail-io1-xd30.google.com with SMTP id l1so38074181ioh.5 for <txauth@ietf.org>; Mon, 03 Aug 2020 04:15:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=CPutkGCMnphipXYfsKrdMQa/RVHWEDh5x7quBRW4pug=; b=BMa5V/fgzQvXYqukxjKxij3dguQyIEYqaVN5loqgtubToVZHwyLi67Gr9PwukdL9Vp INJvk6rxHzPAF5873tol2a+xYesA0MvFYH2I4yGT5xNVcQL9h7YAd0mKVFMd02eHVcVA wiPGKiwc+DYuvID9ekwXOp9gXJayUP5i2fpqO3OuqHd9aUrwb8gmFBdprsSOlctV2WRE IMMFOeMlH5mevs7NKjAICGJbqd64LZkGPOdGu7DKvrtjiVKMwAAsaTGKkue8G2VE45CQ OhWDSV7AvJuDFIK0ADducshgBxVZoU+dVdSjIpHwXDCIhUBCDTAepWTTJGUz4Ga1EmzJ aLcg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=CPutkGCMnphipXYfsKrdMQa/RVHWEDh5x7quBRW4pug=; b=UvwzVQEPV6OY0FLPa95DdIMA50gjr1cAKpYXqo5lSfo43xSjakW2UZUgsbhPetR0Ba cdp6Pwnuuu06HVjL2FxNrmGdtCturhUA8I+h4/1Re26d72ft8E5+wY2nyicSi2fiX9o3 SlQCHl1ITKdl+RZaYXeQdRrR0UblKCqX7JYVuc/uUmNZlJJFh8a04QrOb7QS5R0Hxk/w tojfdH4slt2127aRGZG/ONb+DgVbrNHdP1+bSNvsKIdNaNlhtRuj+6r2a6jE0I+PWqUV l/IGeS1dp7DMZLnChZ7SeRoXWwFw/YKPzbC+t6MOOWZrE7hp44t9FTrI1yI1egY9TGiA FeWQ==
X-Gm-Message-State: AOAM531R7SIIUeaC++0rRA14DA7OxIWyLds7FnwbTXlZTQq2nCgrRN73 i7plJsud78Nx4qPVt5UFzWLvajUzrynr5fSwZBTh9lBJbwk=
X-Google-Smtp-Source: ABdhPJxuk4NX5A73f6iZ6JE8ayK+ul9S38jxYzattI3bTGkne0n5EzePg5pxY57FFdU5vkAJN5RW9yQJZ2n1mRd0Hzs=
X-Received: by 2002:a5d:841a:: with SMTP id i26mr16095900ion.144.1596453338412; Mon, 03 Aug 2020 04:15:38 -0700 (PDT)
MIME-Version: 1.0
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Mon, 3 Aug 2020 13:15:27 +0200
Message-ID: <CAM8feuQT6XVDao8VE-ZgJkZwWPaXzVTWWy7SdhjJtBRuVyjwSA@mail.gmail.com>
To: txauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000022fbb005abf74283"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/hor8bgMqPNcGTqlQ44_Hqxnf1go>
Subject: [Txauth] Decoupling consent and authorization
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Aug 2020 11:15:41 -0000

Hello,

This is a new thread.

I have just published a proof of concept that separates the interaction
from the rest of the AS. The goal is to open up the door to a privacy
preserving flow such as the one suggested by Denis (the interaction may be
handled by a Client endpoint, if it wishes), as well as to optimize the
implementation to each concern (UX for consent vs authorization flows).

Note that it ends up being an implementation detail as far as the Client is
concerned, as the core request/response format wasn't changed from the
original XYZ protocol.

The code and documentation is available publicly at:
https://github.com/acertio/mvp_gnap_interact

The flow is sketched and explained at
https://github.com/acertio/mvp_gnap_interact/blob/master/Redirect.md#process

Let me know what you think.

Cheers

Fabien